🔗 Nikita Prokopov: Needy Programs

A thought-provoking post.

And even if you give up and create [an account for a program that requires one], they will never leave you alone: they’ll ask for 2FA, then for password rotation, then will log you out for no good reason. You’ll never see the end of it either way.

The topic of passkeys came up at work yesterday. A colleague suggested that passkeys should be mandated across everything, with very few exceptions. The reasons he gave are decent, of course: protecting accounts from unwanted intrusions. Yet I didn’t really agree with him. I know for myself I find them a little annoying, and knowing a few people who aren’t as steeped in technology as I am, I do wonder how well they would receive such a mandate. Probably in a similar way to Nikita here.

And it’s a tricky balancing act, because they are more secure than passwords. So is asking for 2FA, and password rotation, and logging you out after a while (that’s to stop a session token that leaks and falls into the wrong hands from being usable forever). And sometimes they’re necessary: there are a lot of arseholes out there. But they are annoying, and when it comes to authentication, it’s usually the default position of any developer to say “lock down all the things,” without considering the tradeoffs.
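To make the session-expiry tradeoff concrete, here is a small example I put together for this post (it is not code from Nikita’s article or from any product mentioned): a session check with two clocks, an idle timeout that active users almost never notice, and an absolute lifetime that caps how long any token, leaked or not, can keep working. The 30-minute and 12-hour values are assumed policy numbers, not anything the post specifies.

```python
from dataclasses import dataclass

# Assumed policy values for the illustration; real deployments tune these.
IDLE_TIMEOUT = 30 * 60          # 30 minutes with no requests ends the session
ABSOLUTE_LIFETIME = 12 * 3600   # hard cap from login, regardless of activity


@dataclass
class Session:
    issued_at: int   # unix time the token was issued (login)
    last_seen: int   # unix time of the most recent accepted request


def check_session(session: Session, now: int) -> str:
    """Return 'ok', 'idle-expired' or 'lifetime-expired' for a request at time `now`.

    The absolute lifetime is checked first: no amount of activity extends it,
    which is what bounds the exposure window of a leaked token. The idle timeout
    is a sliding window, so a user who keeps working is not logged out by it.
    Once a verdict is an expiry, the session is left untouched; a real server
    would delete it and force a fresh login.
    """
    if now - session.issued_at >= ABSOLUTE_LIFETIME:
        return "lifetime-expired"
    if now - session.last_seen >= IDLE_TIMEOUT:
        return "idle-expired"
    session.last_seen = now
    return "ok"


def simulate(request_times, issued_at=0):
    """Replay a constructed sequence of request timestamps against one session."""
    session = Session(issued_at=issued_at, last_seen=issued_at)
    return [check_session(session, t) for t in request_times]


if __name__ == "__main__":
    # A user active every ten minutes is never bothered by the idle timeout,
    # but is still logged out once the absolute lifetime is reached.
    busy_day = simulate(range(600, ABSOLUTE_LIFETIME + 1, 600))
    print(busy_day[-2], busy_day[-1])      # ok lifetime-expired
    # A user who steps away for 31 minutes hits the idle timeout instead.
    print(simulate([600, 600 + 31 * 60]))  # ['ok', 'idle-expired']
```

The point of the two clocks is the tradeoff the post is circling: the idle timeout is the annoying part users see, while the absolute lifetime is the part that actually limits damage from a token that got out. Shortening the first buys little security; shortening the second is where the real protection (and the real forced-logout irritation) lives.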

So yeah, I don’t have a good answer here. Not even sure there is one.

Via: Manton Reece